
Untitled

a guest
Sep 9th, 2017
  1. # Master configuration file for the QEMU driver.
  2. # All settings described here are optional - if omitted, sensible
  3. # defaults are used.
  4.  
  5. # Use of TLS requires that x509 certificates be issued. The default is
  6. # to keep them in /etc/pki/qemu. This directory must contain
  7. #
  8. # ca-cert.pem - the CA master certificate
  9. # server-cert.pem - the server certificate signed with ca-cert.pem
  10. # server-key.pem - the server private key
  11. #
  12. # and optionally may contain
  13. #
  14. # dh-params.pem - the DH params configuration file
  15. #
  16. # If the directory does not exist or does not contain the necessary
  17. # files, QEMU domains will fail to start if they are configured to use TLS.
  18. #
  19. # In order to overwrite the default path alter the following. This path
  20. # definition will be used as the default path for other *_tls_x509_cert_dir
  21. # configuration settings if their default path does not exist or is not
  22. # specifically set.
  23. #
  24. #default_tls_x509_cert_dir = "/etc/pki/qemu"
  25.  
  26.  
  27. # The default TLS configuration only uses certificates for the server
  28. # allowing the client to verify the server's identity and establish
  29. # an encrypted channel.
  30. #
  31. # It is possible to use x509 certificates for authentication too, by
  32. # issuing an x509 certificate to every client who needs to connect.
  33. #
  34. # Enabling this option will reject any client who does not have a
  35. # certificate signed by the CA in /etc/pki/qemu/ca-cert.pem
  36. #
  37. # The default_tls_x509_cert_dir directory must also contain
  38. #
  39. # client-cert.pem - the client certificate signed with the ca-cert.pem
  40. # client-key.pem - the client private key
  41. #
  42. #default_tls_x509_verify = 1
  43.  
  44. #
  45. # Libvirt assumes the server-key.pem file is unencrypted by default.
  46. # To use an encrypted server-key.pem file, the password to decrypt
  47. # the PEM file is required. This can be provided by creating a secret
  48. # object in libvirt and then uncommenting this setting and setting it
  49. # to the UUID of that secret.
  50. #
  51. # NB This default all-zeros UUID will not work. Replace it with the
  52. # UUID of the TLS secret, as shown in the output of a 'virsh secret-list'
  53. # command, and then uncomment the entry
  54. #
  55. #default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
  56.  
  57.  
  58. # VNC is configured to listen on 127.0.0.1 by default.
  59. # To make it listen on all public interfaces, uncomment
  60. # this next option.
  61. #
  62. # NB, strong recommendation to enable TLS + x509 certificate
  63. # verification when allowing public access
  64. #
  65. #vnc_listen = "0.0.0.0"
  66.  
  67. # Enable this option to have VNC served over an automatically created
  68. # unix socket. This prevents unprivileged access from users on the
  69. # host machine, though most VNC clients do not support it.
  70. #
  71. # This will only be enabled for VNC configurations that have listen
  72. # type=address but without any address specified. This setting takes
  73. # preference over vnc_listen.
  74. #
  75. #vnc_auto_unix_socket = 1
  76.  
  77. # Enable use of TLS encryption on the VNC server. This requires
  78. # a VNC client which supports the VeNCrypt protocol extension.
  79. # Examples include vinagre, virt-viewer, virt-manager and vencrypt
  80. # itself. UltraVNC, RealVNC, TightVNC do not support this
  81. #
  82. # It is necessary to setup CA and issue a server certificate
  83. # before enabling this.
  84. #
  85. #vnc_tls = 1
  86.  
  87.  
  88. # In order to override the default TLS certificate location for
  89. # vnc certificates, supply a valid path to the certificate directory.
  90. # If the provided path does not exist then the default_tls_x509_cert_dir
  91. # path will be used.
  92. #
  93. #vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
  94.  
  95.  
  96. # The default TLS configuration only uses certificates for the server
  97. # allowing the client to verify the server's identity and establish
  98. # an encrypted channel.
  99. #
  100. # It is possible to use x509 certificates for authentication too, by
  101. # issuing an x509 certificate to every client who needs to connect.
  102. #
  103. # Enabling this option will reject any client that does not have a
  104. # certificate signed by the CA (ca-cert.pem) in the vnc_tls_x509_cert_dir
  105. # (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
  106. # files described in default_tls_x509_cert_dir.
  107. #
  108. # If this option is not supplied, it will be set to the value of
  109. # "default_tls_x509_verify".
  110. #
  111. #vnc_tls_x509_verify = 1
  112.  
  113.  
  114. # The default VNC password. Only 8 bytes are significant for VNC
  115. # passwords, so it is weak protection on its own; combine it with the
  116. # TLS or SASL options when VNC is reachable off-host. This parameter is
  117. # only used if the per-domain XML config does not already provide a
  118. # password. To allow access without passwords, leave this commented out.
  119. # An empty string will still enable passwords, but be rejected by QEMU,
  120. # effectively preventing any use of VNC. Change this example before use.
  121. #
  122. #vnc_password = "XYZ12345"
  123.  
  124.  
  125. # Enable use of SASL encryption on the VNC server. This requires
  126. # a VNC client which supports the SASL protocol extension.
  127. # Examples include vinagre, virt-viewer and virt-manager
  128. # itself. UltraVNC, RealVNC, TightVNC do not support this
  129. #
  130. # It is necessary to configure /etc/sasl2/qemu.conf to choose
  131. # the desired SASL plugin (eg, GSSAPI for Kerberos)
  132. #
  133. #vnc_sasl = 1
  134.  
  135.  
  136. # The default SASL configuration file is located in /etc/sasl2/
  137. # When running libvirtd unprivileged, it may be desirable to
  138. # override the configs in this location. Set this parameter to
  139. # point to the directory, and create a qemu.conf in that location
  140. #
  141. #vnc_sasl_dir = "/some/directory/sasl2"
  142.  
  143.  
  144. # QEMU implements an extension for providing audio over a VNC connection,
  145. # though if your VNC client does not support it, your only chance for getting
  146. # sound output is through regular audio backends. By default, libvirt will
  147. # disable all QEMU sound backends if using VNC, since they can cause
  148. # permissions issues. Enabling this option will make libvirtd honor the
  149. # QEMU_AUDIO_DRV environment variable when using VNC.
  150. #
  151. #vnc_allow_host_audio = 0
  152.  
  153.  
  154.  
  155. # SPICE is configured to listen on 127.0.0.1 by default.
  156. # To make it listen on all public interfaces, uncomment
  157. # this next option.
  158. #
  159. # NB, strong recommendation to enable TLS + x509 certificate
  160. # verification when allowing public access
  161. #
  162. #spice_listen = "0.0.0.0"
  163.  
  164.  
  165. # Enable use of TLS encryption on the SPICE server.
  166. #
  167. # It is necessary to setup CA and issue a server certificate
  168. # before enabling this.
  169. #
  170. #spice_tls = 1
  171.  
  172.  
  173. # In order to override the default TLS certificate location for
  174. # spice certificates, supply a valid path to the certificate directory.
  175. # If the provided path does not exist then the default_tls_x509_cert_dir
  176. # path will be used.
  177. #
  178. #spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
  179.  
  180.  
  181. # Enable this option to have SPICE served over an automatically created
  182. # unix socket. This prevents unprivileged access from users on the
  183. # host machine.
  184. #
  185. # This will only be enabled for SPICE configurations that have listen
  186. # type=address but without any address specified. This setting takes
  187. # preference over spice_listen.
  188. #
  189. #spice_auto_unix_socket = 1
  190.  
  191.  
  192. # The default SPICE password. This parameter is only used if the
  193. # per-domain XML config does not already provide a password. To
  194. # allow access without passwords, leave this commented out. An
  195. # empty string will still enable passwords, but be rejected by
  196. # QEMU, effectively preventing any use of SPICE. Obviously change
  197. # this example here before you set this.
  198. #
  199. #spice_password = "XYZ12345"
  200.  
  201.  
  202. # Enable use of SASL encryption on the SPICE server. This requires
  203. # a SPICE client which supports the SASL protocol extension.
  204. #
  205. # It is necessary to configure /etc/sasl2/qemu.conf to choose
  206. # the desired SASL plugin (eg, GSSAPI for Kerberos)
  207. #
  208. #spice_sasl = 1
  209.  
  210. # The default SASL configuration file is located in /etc/sasl2/
  211. # When running libvirtd unprivileged, it may be desirable to
  212. # override the configs in this location. Set this parameter to
  213. # point to the directory, and create a qemu.conf in that location
  214. #
  215. #spice_sasl_dir = "/some/directory/sasl2"
  216.  
  217. # Enable use of TLS encryption on the chardev TCP transports.
  218. #
  219. # It is necessary to setup CA and issue a server certificate
  220. # before enabling this.
  221. #
  222. #chardev_tls = 1
  223.  
  224.  
  225. # In order to override the default TLS certificate location for character
  226. # device TCP certificates, supply a valid path to the certificate directory.
  227. # If the provided path does not exist then the default_tls_x509_cert_dir
  228. # path will be used.
  229. #
  230. #chardev_tls_x509_cert_dir = "/etc/pki/libvirt-chardev"
  231.  
  232.  
  233. # The default TLS configuration only uses certificates for the server
  234. # allowing the client to verify the server's identity and establish
  235. # an encrypted channel.
  236. #
  237. # It is possible to use x509 certificates for authentication too, by
  238. # issuing an x509 certificate to every client who needs to connect.
  239. #
  240. # Enabling this option will reject any client that does not have a
  241. # certificate signed by the CA (ca-cert.pem) in the chardev_tls_x509_cert_dir
  242. # (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
  243. # files described in default_tls_x509_cert_dir.
  244. #
  245. # If this option is not supplied, it will be set to the value of
  246. # "default_tls_x509_verify".
  247. #
  248. #chardev_tls_x509_verify = 1
  249.  
  250.  
  251. # Uncomment and use the following option to override the default secret
  252. # UUID provided in the default_tls_x509_secret_uuid parameter.
  253. #
  254. # NB This default all-zeros UUID will not work. Replace it with the
  255. # output from the UUID for the TLS secret from a 'virsh secret-list'
  256. # command and then uncomment the entry
  257. #
  258. #chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
  259.  
  260.  
  261. # In order to override the default TLS certificate location for migration
  262. # certificates, supply a valid path to the certificate directory. If the
  263. # provided path does not exist then the default_tls_x509_cert_dir path
  264. # will be used. Once/if a default certificate is enabled/defined, migration
  265. # will then be able to use the certificate via migration API flags.
  266. #
  267. #migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate"
  268.  
  269.  
  270. # The default TLS configuration only uses certificates for the server
  271. # allowing the client to verify the server's identity and establish
  272. # an encrypted channel.
  273. #
  274. # It is possible to use x509 certificates for authentication too, by
  275. # issuing an x509 certificate to every client who needs to connect.
  276. #
  277. # Enabling this option will reject any client that does not have a
  278. # certificate signed by the CA (ca-cert.pem) in the migrate_tls_x509_cert_dir
  279. # (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
  280. # files described in default_tls_x509_cert_dir.
  281. #
  282. # If this option is not supplied, it will be set to the value of
  283. # "default_tls_x509_verify".
  284. #
  285. #migrate_tls_x509_verify = 1
  286.  
  287.  
  288. # Uncomment and use the following option to override the default secret
  289. # UUID provided in the default_tls_x509_secret_uuid parameter.
  290. #
  291. # NB This default all-zeros UUID will not work. Replace it with the
  292. # output from the UUID for the TLS secret from a 'virsh secret-list'
  293. # command and then uncomment the entry
  294. #
  295. #migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
  296.  
  297.  
  298. # By default, if no graphical front end is configured, libvirt will disable
  299. # QEMU audio output since directly talking to alsa/pulseaudio may not work
  300. # with various security settings. If you know what you're doing, enable
  301. # the setting below and libvirt will passthrough the QEMU_AUDIO_DRV
  302. # environment variable when using nographics.
  303. #
  304. #nographics_allow_host_audio = 1
  305.  
  306.  
  307. # Override the port for creating both VNC and SPICE sessions (min).
  308. # This defaults to 5900 and increases for consecutive sessions
  309. # or when ports are occupied, until it hits the maximum.
  310. #
  311. # Minimum must be greater than or equal to 5900, as a lower number would
  312. # result in a negative VNC display number.
  313. #
  314. # Maximum must be less than 65536, because higher numbers do not make
  315. # sense as a port number.
  316. #
  317. #remote_display_port_min = 5900
  318. #remote_display_port_max = 65535
  319.  
  320. # VNC WebSocket port policies, same rules apply as with remote display
  321. # ports. VNC WebSockets use similar display <-> port mappings, with
  322. # the exception being that ports start from 5700 instead of 5900.
  323. #
  324. #remote_websocket_port_min = 5700
  325. #remote_websocket_port_max = 65535
  326.  
  327. # The default security driver is SELinux. If SELinux is disabled
  328. # on the host, then the security driver will automatically disable
  329. # itself. If you wish to disable QEMU SELinux security driver while
  330. # leaving SELinux enabled for the host in general, then set this
  331. # to 'none' instead. It's also possible to use more than one security
  332. # driver at the same time, for this use a list of names separated by
  333. # comma and delimited by square brackets. For example:
  334. #
  335. # security_driver = [ "selinux", "apparmor" ]
  336. #
  337. # Notes: The DAC security driver is always enabled; as a result, the
  338. # value of security_driver cannot contain "dac". The value "none" is
  339. # a special value; security_driver can be set to that value in
  340. # isolation, but it cannot appear in a list of drivers.
  341. #
  342. #security_driver = "selinux"
  343.  
  344. # If set to non-zero, then the default security labeling
  345. # will make guests confined. If set to zero, then guests
  346. # will be unconfined by default. Defaults to 1.
  347. #security_default_confined = 1
  348.  
  349. # If set to non-zero, then attempts to create unconfined
  350. # guests will be blocked. Defaults to 0.
  351. #security_require_confined = 1
  352.  
  353. # The user for QEMU processes run by the system instance. It can be
  354. # specified as a user name or as a user id. The qemu driver will try to
  355. # parse this value first as a name and then, if the name doesn't exist,
  356. # as a user id.
  357. #
  358. # Since a sequence of digits is a valid user name, a leading plus sign
  359. # can be used to ensure that a user id will not be interpreted as a user
  360. # name.
  361. #
  362. # Some examples of valid values are:
  363. #
  364. # user = "qemu" # A user named "qemu"
  365. # user = "+0" # Super user (uid=0)
  366. # user = "100" # A user named "100" or a user with uid=100
  367. #
  368. #user = "nakruf"
  369.  
  370. # The group for QEMU processes run by the system instance. It can be
  371. # specified in a similar way to user.
  372. #group="78"
  373.  
  374. # Whether libvirt should dynamically change file ownership
  375. # to match the configured user/group above. Defaults to 1.
  376. # Set to 0 to disable file ownership changes.
  377. #dynamic_ownership = 1
  378.  
  379.  
  380. # What cgroup controllers to make use of with QEMU guests
  381. #
  382. # - 'cpu' - use for scheduler tunables
  383. # - 'devices' - use for device whitelisting
  384. # - 'memory' - use for memory tunables
  385. # - 'blkio' - use for block devices I/O tunables
  386. # - 'cpuset' - use for CPUs and memory nodes
  387. # - 'cpuacct' - use for CPUs statistics.
  388. #
  389. # NB, even if configured here, they won't be used unless
  390. # the administrator has mounted cgroups, e.g.:
  391. #
  392. # mkdir /dev/cgroup
  393. # mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup
  394. #
  395. # They can be mounted anywhere, and different controllers
  396. # can be mounted in different locations. libvirt will detect
  397. # where they are located.
  398. #
  399. #cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
  400.  
  401. # This is the basic set of devices allowed / required by
  402. # all virtual machines.
  403. #
  404. # As well as this, any configured block backed disks,
  405. # all sound device, and all PTY devices are allowed.
  406. #
  407. # This will only need setting if newer QEMU suddenly
  408. # wants some device we don't already know about.
  409. #
  410. #cgroup_device_acl = [
  411. # "/dev/null", "/dev/full", "/dev/zero",
  412. # "/dev/random", "/dev/urandom",
  413. # "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
  414. # "/dev/rtc","/dev/hpet"
  415. #]
  416. #
  417. # RDMA migration requires the following extra files to be added to the list:
  418. # "/dev/infiniband/rdma_cm",
  419. # "/dev/infiniband/issm0",
  420. # "/dev/infiniband/issm1",
  421. # "/dev/infiniband/umad0",
  422. # "/dev/infiniband/umad1",
  423. # "/dev/infiniband/uverbs0"
  424.  
  425.  
  426. # The default format for QEMU/KVM guest save images is raw; that is, the
  427. # memory from the domain is dumped out directly to a file. If you have
  428. # guests with a large amount of memory, however, this can take up quite
  429. # a bit of space. If you would like to compress the images while they
  430. # are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz"
  431. # for save_image_format. Note that this means you slow down the process of
  432. # saving a domain in order to save disk space; the list above is in descending
  433. # order by performance and ascending order by compression ratio.
  434. #
  435. # save_image_format is used when you use 'virsh save' or 'virsh managedsave'
  436. # at scheduled saving, and it is an error if the specified save_image_format
  437. # is not valid, or the requested compression program can't be found.
  438. #
  439. # dump_image_format is used when you use 'virsh dump' at emergency
  440. # crashdump, and if the specified dump_image_format is not valid, or
  441. # the requested compression program can't be found, this falls
  442. # back to "raw" compression.
  443. #
  444. # snapshot_image_format specifies the compression algorithm of the memory save
  445. # image when an external snapshot of a domain is taken. This does not apply
  446. # on disk image format. It is an error if the specified format isn't valid,
  447. # or the requested compression program can't be found.
  448. #
  449. #save_image_format = "raw"
  450. #dump_image_format = "raw"
  451. #snapshot_image_format = "raw"
  452.  
  453. # When a domain is configured to be auto-dumped when libvirtd receives a
  454. # watchdog event from qemu guest, libvirtd will save dump files in directory
  455. # specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
  456. #
  457. #auto_dump_path = "/var/lib/libvirt/qemu/dump"
  458.  
  459. # When a domain is configured to be auto-dumped, enabling this flag
  460. # has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
  461. # virDomainCoreDump API. That is, the system will avoid using the
  462. # file system cache while writing the dump file, but may cause
  463. # slower operation.
  464. #
  465. #auto_dump_bypass_cache = 0
  466.  
  467. # When a domain is configured to be auto-started, enabling this flag
  468. # has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
  469. # with the virDomainCreateWithFlags API. That is, the system will
  470. # avoid using the file system cache when restoring any managed state
  471. # file, but may cause slower operation.
  472. #
  473. #auto_start_bypass_cache = 0
  474.  
  475. # If provided by the host and a hugetlbfs mount point is configured,
  476. # a guest may request huge page backing. When this mount point is
  477. # unspecified here, determination of a host mount point in /proc/mounts
  478. # will be attempted. Specifying an explicit mount overrides detection
  479. # of the same in /proc/mounts. Setting the mount point to "" will
  480. # disable guest hugepage backing. If desired, multiple mount points can
  481. # be specified at once, separated by comma and enclosed in square
  482. # brackets, for example:
  483. #
  484. # hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"]
  485. #
  486. # The size of huge page served by specific mount point is determined by
  487. # libvirt at the daemon startup.
  488. #
  489. # NB, within these mount points, guests will create memory backing
  490. # files in a location of $MOUNTPOINT/libvirt/qemu
  491. #
  492. #hugetlbfs_mount = "/dev/hugepages"
  493.  
  494.  
  495. # Path to the setuid helper for creating tap devices. This executable
  496. # is used to create <source type='bridge'> interfaces when libvirtd is
  497. # running unprivileged. libvirt invokes the helper directly, instead
  498. # of using "-netdev bridge", for security reasons.
  499. #bridge_helper = "/usr/lib/qemu/qemu-bridge-helper"
  500.  
  501.  
  502.  
  503. # If clear_emulator_capabilities is enabled, libvirt will drop all
  504. # privileged capabilities of the QEmu/KVM emulator. This is enabled by
  505. # default.
  506. #
  507. # Warning: Disabling this option means that a compromised guest can
  508. # exploit the privileges and possibly do damage to the host.
  509. #
  510. #clear_emulator_capabilities = 1
  511.  
  512.  
  513. # If enabled, libvirt will have QEMU set its process name to
  514. # "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU
  515. # process will appear as "qemu:VM_NAME" in process listings and
  516. # other system monitoring tools. By default, QEMU does not set
  517. # its process title, so the complete QEMU command (emulator and
  518. # its arguments) appear in process listings.
  519. #
  520. #set_process_name = 1
  521.  
  522.  
  523. # If max_processes is set to a positive integer, libvirt will use
  524. # it to set the maximum number of processes that can be run by qemu
  525. # user. This can be used to override default value set by host OS.
  526. # The same applies to max_files which sets the limit on the maximum
  527. # number of opened files.
  528. #
  529. #max_processes = 0
  530. #max_files = 0
  531.  
  532. # If max_core is set to a non-zero integer, then QEMU will be
  533. # permitted to create core dumps when it crashes, provided its
  534. # RAM size is smaller than the limit set.
  535. #
  536. # Be warned that the core dump will include a full copy of the
  537. # guest RAM, if the 'dump_guest_core' setting has been enabled,
  538. # or if the guest XML contains
  539. #
  540. # <memory dumpcore="on">...guest ram...</memory>
  541. #
  542. # If guest RAM is to be included, ensure the max_core limit
  543. # is set to at least the size of the largest expected guest
  544. # plus another 1GB for any QEMU host side memory mappings.
  545. #
  546. # As a special case it can be set to the string "unlimited" to
  547. # allow arbitrarily sized core dumps.
  548. #
  549. # By default the core dump size is set to 0 disabling all dumps
  550. #
  551. # Size is a positive integer specifying bytes or the
  552. # string "unlimited"
  553. #
  554. #max_core = "unlimited"
  555.  
  556. # Determine if guest RAM is included in QEMU core dumps. By
  557. # default guest RAM will be excluded if a new enough QEMU is
  558. # present. Setting this to '1' will force guest RAM to always
  559. # be included in QEMU core dumps.
  560. #
  561. # This setting will be ignored if the guest XML has set the
  562. # dumpcore attribute on the <memory> element.
  563. #
  564. #dump_guest_core = 1
  565.  
  566. # mac_filter enables MAC address based filtering on bridge ports.
  567. # This currently requires ebtables to be installed.
  568. #
  569. #mac_filter = 1
  570.  
  571.  
  572. # By default, PCI devices below non-ACS switch are not allowed to be assigned
  573. # to guests. By setting relaxed_acs_check to 1 such devices will be allowed to
  574. # be assigned to guests.
  575. #
  576. #relaxed_acs_check = 1
  577.  
  578.  
  579. # If allow_disk_format_probing is enabled, libvirt will probe disk
  580. # images to attempt to identify their format, when not otherwise
  581. # specified in the XML. This is disabled by default.
  582. #
  583. # WARNING: Enabling probing is a security hole in almost all
  584. # deployments. It is strongly recommended that users update their
  585. # guest XML <disk> elements to include <driver type='XXXX'/>
  586. # elements instead of enabling this option.
  587. #
  588. #allow_disk_format_probing = 1
  589.  
  590.  
  591. # In order to prevent accidentally starting two domains that
  592. # share one writable disk, libvirt offers two approaches for
  593. # locking files. The first one is sanlock, the other one,
  594. # virtlockd, is then our own implementation. Accepted values
  595. # are "sanlock" and "lockd".
  596. #
  597. #lock_manager = "lockd"
  598.  
  599.  
  600.  
  601. # Set limit of maximum APIs queued on one domain. All other APIs
  602. # over this threshold will fail on acquiring job lock. As a special
  603. # case, setting this to zero turns the feature off.
  604. # Note that the job lock is per domain.
  605. #
  606. #max_queued = 0
  607.  
  608. ###################################################################
  609. # Keepalive protocol:
  610. # This allows qemu driver to detect broken connections to remote
  611. # libvirtd during peer-to-peer migration. A keepalive message is
  612. # sent to the daemon after keepalive_interval seconds of inactivity
  613. # to check if the daemon is still responding; keepalive_count is a
  614. # maximum number of keepalive messages that are allowed to be sent
  615. # to the daemon without getting any response before the connection
  616. # is considered broken. In other words, the connection is
  617. # automatically closed approximately after
  618. # keepalive_interval * (keepalive_count + 1) seconds since the last
  619. # message received from the daemon. If keepalive_interval is set to
  620. # -1, qemu driver will not send keepalive requests during
  621. # peer-to-peer migration; however, the remote libvirtd can still
  622. # send them and source libvirtd will send responses. When
  623. # keepalive_count is set to 0, connections will be automatically
  624. # closed after keepalive_interval seconds of inactivity without
  625. # sending any keepalive messages.
  626. #
  627. #keepalive_interval = 5
  628. #keepalive_count = 5
  629.  
  630.  
  631.  
  632. # Use seccomp syscall whitelisting in QEMU.
  633. # 1 = on, 0 = off, -1 = use QEMU default
  634. # Defaults to -1.
  635. #
  636. #seccomp_sandbox = 1
  637.  
  638.  
  639. # Override the listen address for all incoming migrations. Defaults to
  640. # 0.0.0.0, or :: if both host and qemu are capable of IPv6.
  641. #migration_address = "0.0.0.0"
  642.  
  643.  
  644. # The default hostname or IP address which will be used by a migration
  645. # source for transferring migration data to this host. The migration
  646. # source has to be able to resolve this hostname and connect to it so
  647. # setting "localhost" will not work. By default, the host's configured
  648. # hostname is used.
  649. #migration_host = "host.example.com"
  650.  
  651.  
  652. # Override the port range used for incoming migrations.
  653. #
  654. # Minimum must be greater than 0, however when QEMU is not running as root,
  655. # setting the minimum to be lower than 1024 will not work.
  656. #
  657. # Maximum must not be greater than 65535.
  658. #
  659. #migration_port_min = 49152
  660. #migration_port_max = 49215
  661.  
  662.  
  663.  
  664. # Timestamp QEMU's log messages (if QEMU supports it)
  665. #
  666. # Defaults to 1.
  667. #
  668. #log_timestamp = 0
  669.  
  670.  
  671. # Location of master nvram file
  672. #
  673. # When a domain is configured to use UEFI instead of standard
  674. # BIOS it may use a separate storage for UEFI variables. If
  675. # that's the case libvirt creates the variable store per domain
  676. # using this master file as image. Each UEFI firmware can,
  677. # however, have a different variable store. Therefore nvram is
  678. # a list of strings, where each item is in the form of:
  679. # ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}.
  680. # Later, when libvirt creates per domain variable store, this list is
  681. # searched for the master image. The UEFI firmware can be called
  682. # differently for different guest architectures. For instance, it's OVMF
  683. # for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default
  684. # follows this scheme.
  685. #nvram = [
  686. # "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
  687. # "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
  688. # "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd",
  689. # "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd"
  690. #]
  691.  
  692. # The backend to use for handling stdout/stderr output from
  693. # QEMU processes.
  694. #
  695. # 'file': QEMU writes directly to a plain file. This is the
  696. # historical default, but allows QEMU to inflict a
  697. # denial of service attack on the host by exhausting
  698. # filesystem space
  699. #
  700. # 'logd': QEMU writes to a pipe provided by virtlogd daemon.
  701. # This is the current default, providing protection
  702. # against denial of service by performing log file
  703. # rollover when a size limit is hit.
  704. #
  705. #stdio_handler = "logd"
  706.  
  707. # QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the
  708. # most verbose, and 0 representing no debugging output.
  709. #
  710. # The current logging levels defined in the gluster GFAPI are:
  711. #
  712. # 0 - None
  713. # 1 - Emergency
  714. # 2 - Alert
  715. # 3 - Critical
  716. # 4 - Error
  717. # 5 - Warning
  718. # 6 - Notice
  719. # 7 - Info
  720. # 8 - Debug
  721. # 9 - Trace
  722. #
  723. # Defaults to 4
  724. #
  725. #gluster_debug_level = 9
  726.  
  727. # To enhance security, QEMU driver is capable of creating private namespaces
  728. # for each domain started. Well, so far only "mount" namespace is supported. If
  729. # enabled it means qemu process is unable to see all the devices on the system,
  730. # only those configured for the domain in question. Libvirt then manages
  731. # devices entries throughout the domain lifetime. This namespace is turned on
  732. # by default.
  733. #namespaces = [ "mount" ]
  734.  
  735. # This directory is used for memoryBacking source if configured as file.
  736. # NOTE: big files will be stored here
  737. #memory_backing_dir = "/var/lib/libvirt/qemu/ram"
  738.  
  739. nvram = [
  740. "/usr/share/ovmf/ovmf_code_x64.bin:/usr/share/ovmf/ovmf_vars_x64.bin"
  741. ] # Only active setting in this file; the item is <UEFI firmware image>:<master variable store>. NOTE(review): presumably this replaces libvirt's built-in list, leaving no secboot or AAVMF pairing for guests - confirm.